Achieving Keyless CDNs with Conclaves
Stephen Herwig, Christina Garman, Dave Levin
Content Delivery Networks host their customers' websites
  (figure: a User and a Bank; the CDN's edge server sits in front of the customer's origin server)
CDNs reduce page load times
  (figure: CDN's edge server, customer's origin server)
CDNs mitigate and block attacks
  (figure: CDN's edge server, customer's origin server)
Customers share their keys with CDNs
  (figure: the bank's private key is placed on the CDN's edge server)
Key sharing is widespread (Cangialosi et al., CCS 2016)
  - 43% of the top 10k most popular websites share at least one key with third-party providers
  (figure: fraction of domains hosted on third-party providers, 0 to 1, versus Alexa site rank in bins of 10,000 from 0 to 1M; two curves, "At least one key shared" and "All keys shared")
  - The web has consolidated keys in the hands of a few CDNs
Keyless SSL
  - Introduced by Cloudflare to mitigate key sharing
  - Private keys stay at the key server (origin)  [figure annotation: "In practice: CDN"]
  - Key server performs the actions that require the private key
  - The CDN learns all session keys
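The limitation on the slide, modelled as an added example (not code from the talk, the paper, or Cloudflare's Keyless SSL implementation): the edge delegates only the private-key signature on the handshake transcript to the origin's key server, yet because the ephemeral Diffie-Hellman secret is computed at the edge, the edge still derives the session key. The DH group, the textbook RSA parameters and the key schedule are constructed toy stand-ins, not real TLS.

```python
import hashlib
import hmac
import secrets
# Constructed toy parameters, NOT real TLS: DH over a small Mersenne prime and
# textbook RSA (p=61, q=53, n=3233). Real TLS uses X25519/P-256 and RSA/ECDSA.
P, G = 2**127 - 1, 3
N, E, D = 3233, 17, 2753

def transcript_hash(client_pub: int, server_pub: int) -> bytes:
    return hashlib.sha256(f"{client_pub}|{server_pub}".encode()).digest()

def derive_session_key(transcript: bytes, shared: int) -> bytes:
    # Simplified key schedule: HMAC of the DH secret keyed by the transcript hash.
    return hmac.new(transcript, shared.to_bytes(16, "big"), hashlib.sha256).digest()

class KeyServer:  # origin side: the only party holding the private exponent
    def __init__(self, d: int, n: int):
        self._d, self.n = d, n

    def sign(self, digest: bytes) -> int:
        return pow(int.from_bytes(digest, "big") % self.n, self._d, self.n)

class EdgeServer:  # CDN edge: has the certificate and a channel to the key server
    def __init__(self, key_server: KeyServer):
        self.key_server = key_server

    def handshake(self, client_pub: int) -> tuple[int, int]:
        x = secrets.randbelow(P - 2) + 2
        server_pub = pow(G, x, P)
        transcript = transcript_hash(client_pub, server_pub)
        sig = self.key_server.sign(transcript)  # the only step delegated to the origin
        # The DH secret is computed at the edge, so the edge derives the session key.
        self.session_key = derive_session_key(transcript, pow(client_pub, x, P))
        return server_pub, sig

def client_start() -> tuple[int, int]:
    y = secrets.randbelow(P - 2) + 2
    return y, pow(G, y, P)

def client_finish(y: int, client_pub: int, server_pub: int, sig: int):
    transcript = transcript_hash(client_pub, server_pub)
    if pow(sig, E, N) != int.from_bytes(transcript, "big") % N:
        return None  # handshake not signed by the certificate's key: abort
    return derive_session_key(transcript, pow(server_pub, y, P))

def run_keyless_handshake() -> tuple[bool, bool]:
    edge = EdgeServer(KeyServer(D, N))
    y, client_pub = client_start()
    server_pub, sig = edge.handshake(client_pub)
    return client_finish(y, client_pub, server_pub, sig) == edge.session_key, hasattr(edge, "_d")
```

run_keyless_handshake() returns (True, False): the client and the edge end up with the same session key while the edge never held the private exponent, which is exactly why Keyless SSL alone does not keep session plaintext from the CDN.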
Can we maintain privacy using legacy applications on third-party resources?
  - Maintain privacy: the CDN is no more trusted than a standard on-path attacker
  - Legacy applications: no changes to existing code-bases; facilitates deployment and adoption
  - Third-party resources: leverage the existing infrastructure. One additional assumption: TEEs
Phoenix (this talk)
Trusted execution environments
  - By default, assume all system components are untrusted (figure: application code, operating system, service, hardware)
  - Small trusted CPU, resistant to physical attacks
  - Enclave: isolated application memory
  - Model: code and data can safely reside inside an enclave
Practical limitations of TEEs
  - Applications inside enclaves cannot make syscalls (figure: the enclave's syscalls would have to go to the untrusted operating system)
libOSes
  - Idea: implement a small "OS" inside the enclave
  - The application's "syscalls" go to the libOS, which services them locally when possible; only the remainder become real syscalls to the operating system
Graphene-SGX (Tsai et al., ATC 2017)
  - A libOS for Intel SGX that supports some services
  - Graphene's supported services: fork, exec, pipes, signals, semaphores

What constitutes a CDN?
  - Multiple tenants
  - Web server
  - Cache: needs disk
  - Web Application Firewall: needs plaintext
  - Key Server: needs safe storage
  - Also critical to a CDN: reading & writing files, shared memory, access to private keys
Phoenix: the first truly keyless CDN
  - Conclaves: containers of enclaves
  (figure: separate enclaves for the web server, cache, key server and web application firewall; the web server's private key operation is sent to the key server enclave over TLS)
  - Insight: treat enclaves like a distributed system; implement services using kernel servers
  - Enclaves mutually authenticate via attested TLS (Knauth et al., 2018)